Analysis

max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2023, 17:15

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
Resource: win7-20231020-en

General

Target: NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
Size: 456KB
MD5: 6ebb994d00938e37d43b4cb66fd5356d
SHA1: 48a7117f5ed601381d744f949b66529e52251343
SHA256: 69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2
SHA512: d9de4847d0cc0d9073bd8b4f6062014c37d9394baf8aeb912af5ad3078401e1a8ad25abfe943100f4c41cb64561d3e5bd2f8835cd881f0658ff9ebc8b2681266
SSDEEP: 12288:KfLRrNGaW112bN1wW5I1UrqNnEKiIYZ6U0RsRJVlBMlh:KfL5NGa01WN5gEf6Wpoh
Malware Config

Extracted: formbook
Version: 4.1
Campaign: ge06
Decoy/C2 domains (65). A Formbook config carries one live C2 hidden among decoy domains, most of them legitimate sites, so any of these in DNS or proxy logs is a triage lead for the querying host, not proof that the domain itself is the C2:
azaharparis.com
nationaleventsafety.com
covesstudy.com
quinshon4.com
moderco.net
trailblazerbaby.com
time-edu.net
azeemtourism.com
anakmedan3.click
bookinternationaltours.com
ulksht.top
newswirex.com
dingg.net
waveoflife.pro
miamirealestatecommercial.com
rtplive77.xyz
bowllywood.com
automation-tools-84162.bond
booptee.com
ebx.lat
gdlongzhong.icu
seoulbeautytw.com
bulgarianarchive.com
pojipoji.com
mochibees-wylie.com
ecoboat.world
eroyfw.top
centralngs.com
youtube-manager.site
eatlust.com
geutik.cfd
credit-cards-16215.bond
lodsoab.com
jon188.ink
52iwin.win
juanmafit.com
gamemuggaz.com
oneresi.com
pj69vip12.cyou
west-paws.com
chaineccn.com
mentiti.com
modeparisiennefr.com
skyboxpro.net
versebuild.xyz
luxpsy.com
nivaarnalawgroup.com
c091627.com
preppal.shop
narrativepages.com
yqsoysy.com
diverseindiatours.com
batcavela.com
ayyp300.top
daqtpt.cfd
livers-guardplus.com
chucobuilt.net
qianxz109.xyz
carat-automotive.com
hndswicco.best
workwithray.live
sxchenggu.com
sanpan010.com
fufe066.xyz
fakeittilyoumakeitfinance.com
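To make the list above usable for detection, here is an added example (my code, not part of the sandbox report and not Formbook's own code) that matches DNS query logs against the campaign ge06 domain list, counting subdomain hits as well as exact ones, and flags hosts that touch several list domains in one log, which is a stronger signal than a single query to a decoy site. The log format, the client IPs and the lines in SAMPLE_DNS_LOG are constructed for the example; the domain list is the one extracted above.

```python
"""Match DNS query logs against the Formbook ge06 decoy/C2 domain list."""
import re
from collections import defaultdict
from typing import Optional

# Decoy/C2 domains from the extracted config above (campaign ge06), 65 entries.
FORMBOOK_GE06_DOMAINS = """
azaharparis.com nationaleventsafety.com covesstudy.com quinshon4.com moderco.net
trailblazerbaby.com time-edu.net azeemtourism.com anakmedan3.click
bookinternationaltours.com ulksht.top newswirex.com dingg.net waveoflife.pro
miamirealestatecommercial.com rtplive77.xyz bowllywood.com automation-tools-84162.bond
booptee.com ebx.lat gdlongzhong.icu seoulbeautytw.com bulgarianarchive.com pojipoji.com
mochibees-wylie.com ecoboat.world eroyfw.top centralngs.com youtube-manager.site
eatlust.com geutik.cfd credit-cards-16215.bond lodsoab.com jon188.ink 52iwin.win
juanmafit.com gamemuggaz.com oneresi.com pj69vip12.cyou west-paws.com chaineccn.com
mentiti.com modeparisiennefr.com skyboxpro.net versebuild.xyz luxpsy.com
nivaarnalawgroup.com c091627.com preppal.shop narrativepages.com yqsoysy.com
diverseindiatours.com batcavela.com ayyp300.top daqtpt.cfd livers-guardplus.com
chucobuilt.net qianxz109.xyz carat-automotive.com hndswicco.best workwithray.live
sxchenggu.com sanpan010.com fufe066.xyz fakeittilyoumakeitfinance.com
""".split()


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


FORMBOOK_WATCHLIST = frozenset(normalize(d) for d in FORMBOOK_GE06_DOMAINS)


def match_query(qname: str, watchlist) -> Optional[str]:
    """Return the watchlist entry that qname equals or is a subdomain of.

    Walks the label suffixes, so www.azaharparis.com matches azaharparis.com,
    while a look-alike such as azaharparis.com.attacker.example does not.
    The bare TLD is never tested (at least two labels are required).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in watchlist:
            return suffix
    return None


# Constructed log format for this example: "<timestamp> <client ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def scan_dns_log(text: str, watchlist):
    """Return (timestamp, client, qname, matched_domain) for every matching line.

    Lines that do not parse are skipped rather than raising, as an ingest
    path should, so one malformed record does not hide the rest of the log.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        matched = match_query(m["qname"], watchlist)
        if matched:
            hits.append((m["ts"], m["src"], m["qname"], matched))
    return hits


def hosts_over_threshold(hits, min_distinct=3):
    """Clients that resolved at least min_distinct different list domains.

    The decoys are mostly legitimate sites, so a single hit may be browsing;
    one client touching several unrelated list domains is the pattern to act on.
    """
    per_host = defaultdict(set)
    for _ts, src, _qname, matched in hits:
        per_host[src].add(matched)
    return {src for src, doms in per_host.items() if len(doms) >= min_distinct}


# Constructed sample log: 10.0.0.5 walks through four list domains,
# 10.0.0.9 hits one, one line is malformed and must be skipped.
SAMPLE_DNS_LOG = """\
2023-10-23T17:16:02Z 10.0.0.5 A www.azaharparis.com
2023-10-23T17:16:03Z 10.0.0.5 A time-edu.net
2023-10-23T17:16:03Z 10.0.0.5 A skyboxpro.net
2023-10-23T17:16:04Z 10.0.0.5 A www.bowllywood.com
2023-10-23T17:16:09Z 10.0.0.7 A update.example.org
2023-10-23T17:16:11Z 10.0.0.9 A pojipoji.com
2023-10-23T17:16:12Z 10.0.0.9 lookup failed
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG, FORMBOOK_WATCHLIST)
    for ts, src, qname, matched in found:
        print(f"{ts} {src} {qname} -> {matched}")
    print("hosts to triage:", sorted(hosts_over_threshold(found)))
```

Feed it the real resolver or proxy log in the same four-column shape (or adjust LOG_RE), and tune min_distinct to the noise level of the environment; the suffix walk in match_query is what keeps CNAME and www variants from slipping past an exact-match blocklist.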
Signatures

Formbook payload (5 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2148-10-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/2148-15-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/2148-19-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/2848-27-0x0000000000070000-0x000000000009F000-memory.dmp  formbook
behavioral1/memory/2848-29-0x0000000000070000-0x000000000009F000-memory.dmp  formbook
The two hit regions are the same size (0x2F000 bytes): at the default image base 0x400000 in the second heooiabir.exe (PID 2148) and at 0x70000 in wscript.exe (PID 2848). These dumps are the copy of the payload to analyse, since the dropped file is deleted at the end of the chain (see Processes).

Executes dropped EXE (2 IoCs)
pid   Process
2492  heooiabir.exe
2148  heooiabir.exe

Loads dropped DLL (2 IoCs)
pid   Process
2116  NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
2492  heooiabir.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process        procid_target
PID 2492 set thread context of 2148  2492  heooiabir.exe  29
PID 2148 set thread context of 1236  2148  heooiabir.exe  22
PID 2148 set thread context of 1236  2148  heooiabir.exe  22
PID 2848 set thread context of 1236  2848  wscript.exe    22
procid_target is the sandbox's own index for the target process (22 is Explorer.EXE, 29 the second heooiabir.exe), not a Windows PID; the target PID is the last number in the description.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid   Process        hits
2148  heooiabir.exe  3
2848  wscript.exe    27

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
1236  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
pid   Process        hits
2492  heooiabir.exe  1
2148  heooiabir.exe  4
2848  wscript.exe    2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2148  heooiabir.exe
Token: SeDebugPrivilege  2848  wscript.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description                       pid   Process                                                                            procid_target  hits
PID 2116 wrote to memory of 2492  2116  NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe  28             4
PID 2492 wrote to memory of 2148  2492  heooiabir.exe                                                                      29             5
PID 1236 wrote to memory of 2848  1236  Explorer.EXE                                                                       30             4
PID 2848 wrote to memory of 2732  2848  wscript.exe                                                                        31             4
Processes

Chain as recorded: the submitted sample (PID 2116) drops heooiabir.exe and runs it (PID 2492); that copy starts a second instance of itself (PID 2148), writes into it and sets its thread context, which is the process-hollowing pattern. The hollowed instance takes SeDebugPrivilege and sets the thread context of Explorer.EXE (PID 1236). Explorer.EXE then spawns a 32-bit wscript.exe (PID 2848) that also takes SeDebugPrivilege, sets Explorer's thread context again, and finally runs cmd.exe to delete the dropped heooiabir.exe, so on a real host the file is gone by the time anyone looks and the memory dumps above are what remains.

1⤵ C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1236
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2⤵ C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe"
      PID: 2116
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3⤵ C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
         PID: 2492
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4⤵ C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
            PID: 2148
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

   2⤵ C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\SysWOW64\wscript.exe"
      PID: 2848
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3⤵ C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
         PID: 2732
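The WriteProcessMemory and SetThreadContext tables only make sense together with the parent/child tree: a parent writing into a child it just created is ordinary process start-up, a parent that also resets that child's thread context is hollowing it, and a context change on a process it never created is injection into a running process. The following added example (my code, not the sandbox's) parses the rows of this report and applies exactly that split. The rows and the PROCS map are copied from the tables and tree above; the verdict names and the DEBUG_PRIV_PIDS cross-check are my own.

```python
"""Classify the memory-access rows of this sandbox report into injection patterns."""
import re
from collections import defaultdict

# Process tree from the Processes section: pid -> (image name, parent pid).
PROCS = {
    1236: ("Explorer.EXE", None),
    2116: ("NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe", 1236),
    2492: ("heooiabir.exe", 2116),
    2148: ("heooiabir.exe", 2492),
    2848: ("wscript.exe", 1236),
    2732: ("cmd.exe", 2848),
}

# The "description" column of the two signature tables, one row per line,
# duplicates kept exactly as the sandbox reported them (17 and 4 rows).
WRITE_ROWS = """
PID 2116 wrote to memory of 2492
PID 2116 wrote to memory of 2492
PID 2116 wrote to memory of 2492
PID 2116 wrote to memory of 2492
PID 2492 wrote to memory of 2148
PID 2492 wrote to memory of 2148
PID 2492 wrote to memory of 2148
PID 2492 wrote to memory of 2148
PID 2492 wrote to memory of 2148
PID 1236 wrote to memory of 2848
PID 1236 wrote to memory of 2848
PID 1236 wrote to memory of 2848
PID 1236 wrote to memory of 2848
PID 2848 wrote to memory of 2732
PID 2848 wrote to memory of 2732
PID 2848 wrote to memory of 2732
PID 2848 wrote to memory of 2732
"""
CONTEXT_ROWS = """
PID 2492 set thread context of 2148
PID 2148 set thread context of 1236
PID 2148 set thread context of 1236
PID 2848 set thread context of 1236
"""
# Processes that took SeDebugPrivilege (AdjustPrivilegeToken table).
DEBUG_PRIV_PIDS = {2148, 2848}

ROW_RE = re.compile(r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+)")


def parse_rows(text):
    """Return {(src_pid, dst_pid): row_count}; lines that do not parse are ignored."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def classify_injections(write_rows, context_rows, procs):
    """Map every (src, dst) pair seen in either table to a verdict.

    hollowing       : src changed the thread context of a child it created
                      (create suspended, overwrite image, reset context, resume)
    inject_existing : src changed the thread context of a process it did not create
    create_only     : src wrote into its own child and never touched its context;
                      this is what a plain CreateProcess looks like in the log
    write_foreign   : src wrote into a process it did not create, no context change
    """
    writes = parse_rows(write_rows)
    contexts = parse_rows(context_rows)
    verdicts = {}
    for src, dst in set(writes) | set(contexts):
        is_child = procs.get(dst, (None, None))[1] == src
        if (src, dst) in contexts:
            verdicts[(src, dst)] = "hollowing" if is_child else "inject_existing"
        else:
            verdicts[(src, dst)] = "create_only" if is_child else "write_foreign"
    return verdicts


def describe(verdicts, procs, debug_priv_pids):
    """Readable lines; injectors into foreign processes that also hold
    SeDebugPrivilege are flagged, since that is what opening Explorer needs."""
    lines = []
    for (src, dst), verdict in sorted(verdicts.items()):
        note = ""
        if verdict == "inject_existing" and src in debug_priv_pids:
            note = " (injector holds SeDebugPrivilege)"
        lines.append(f"{verdict:16} {src} {procs[src][0]} -> {dst} {procs[dst][0]}{note}")
    return lines


if __name__ == "__main__":
    for line in describe(classify_injections(WRITE_ROWS, CONTEXT_ROWS, PROCS), PROCS, DEBUG_PRIV_PIDS):
        print(line)
```

Run against this report it yields one hollowing verdict (2492 into 2148), two inject_existing verdicts into Explorer.EXE (from 2148 and from 2848, both with SeDebugPrivilege) and three create_only pairs, which is the plain CreateProcess noise the raw table mixes in with the real findings.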
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 205KB
MD5: f8dfd353d09136096e0996463892f727
SHA1: 33ded541f75bc169cd2410cb5105b1fd9b372eb6
SHA256: 9fffdcedea07e45d8f46ece1949d1ab372c89ee427a6015bb99bd40fa2c9e09b
SHA512: e0d7db124617b31f350411fd9b4d683b7aa0adbb839696b77a7fc4e0dfcbe72ba4ae58727f490733583adde19120ce700066d15b687ef082e83d1716fd696004

Filesize: 361KB
MD5: a7282a909f46de953ab33416ab47ae18
SHA1: 53c5e1d282046364186554b2a93f1eb0c13ae909
SHA256: 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b
SHA512: 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b